diff --git a/.tekton/ansible-check.yaml b/.tekton/ansible-check.yaml index ffeac34c..1c55ae17 100644 --- a/.tekton/ansible-check.yaml +++ b/.tekton/ansible-check.yaml @@ -76,7 +76,7 @@ spec: resources: requests: storage: "100Mi" - storageClassName: rook-ceph-block + storageClassName: rook-ceph-block-ci - name: git_auth_secret secret: secretName: "{{ git_auth_secret }}" diff --git a/.tekton/ansible.yaml b/.tekton/ansible.yaml index 0ee98fef..7f3aa90b 100644 --- a/.tekton/ansible.yaml +++ b/.tekton/ansible.yaml @@ -80,7 +80,7 @@ spec: resources: requests: storage: "100Mi" - storageClassName: rook-ceph-block + storageClassName: rook-ceph-block-ci - name: git_auth_secret secret: secretName: "{{ git_auth_secret }}" diff --git a/.tekton/apache-php-image.yaml b/.tekton/apache-php-image.yaml index 318ce08e..3ab48162 100644 --- a/.tekton/apache-php-image.yaml +++ b/.tekton/apache-php-image.yaml @@ -100,7 +100,7 @@ spec: resources: requests: storage: "100Mi" - storageClassName: rook-ceph-block + storageClassName: rook-ceph-block-ci - name: git_auth_secret secret: secretName: "{{ git_auth_secret }}" diff --git a/.tekton/overlay-test.yaml b/.tekton/overlay-test.yaml index 885412ad..af16bc27 100644 --- a/.tekton/overlay-test.yaml +++ b/.tekton/overlay-test.yaml @@ -102,7 +102,7 @@ spec: resources: requests: storage: "100Mi" - storageClassName: rook-ceph-block + storageClassName: rook-ceph-block-ci - name: kubernetes-json-schema volumeClaimTemplate: apiVersion: v1 @@ -115,7 +115,7 @@ spec: resources: requests: storage: "250Mi" - storageClassName: rook-ceph-block + storageClassName: rook-ceph-block-ci - name: git_auth_secret secret: secretName: "{{ git_auth_secret }}" diff --git a/.tekton/terraform-apply.yaml b/.tekton/terraform-apply.yaml index 1dd5a820..91ea23c8 100644 --- a/.tekton/terraform-apply.yaml +++ b/.tekton/terraform-apply.yaml 
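Review bot: The added `storageClassName: rook-ceph-block-ci` references a StorageClass that this change does not create: the diff adds `file-ci/storage-class.yaml` (`rook-cephfs-ci`), a CephFilesystem, and a CDI StorageProfile named `rook-ceph-block-ci`, but no `StorageClass` of that name, so unless it already exists in the cluster every PipelineRun workspace PVC will sit in Pending with a provisioning error. The same reference appears in the other `.tekton/*.yaml` hunks (ansible, apache-php-image, overlay-test twice, terraform-apply, terraform-plan, toolbox-image, udi-image), in `tekton/base/clair-action/pvc.yaml`, in `tekton/base/pvc.yaml` and in the commented ephemeral block of `cronjob-update.yaml`. If the block class is meant to land together with the CephFS one, adding it as a sibling of `file-ci/storage-class.yaml` and listing it in `kubernetes/ceph/base/kustomization.yaml` in this commit would keep the dependency visible and the rollout atomic.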
@@ -72,7 +72,7 @@ spec: resources: requests: storage: "500Mi" - storageClassName: rook-ceph-block + storageClassName: rook-ceph-block-ci - name: git_auth_secret secret: secretName: "{{ git_auth_secret }}" diff --git a/.tekton/terraform-plan.yaml b/.tekton/terraform-plan.yaml index 2c6d6515..3f60a47d 100644 --- a/.tekton/terraform-plan.yaml +++ b/.tekton/terraform-plan.yaml @@ -69,7 +69,7 @@ spec: resources: requests: storage: "500Mi" - storageClassName: rook-ceph-block + storageClassName: rook-ceph-block-ci - name: git_auth_secret secret: secretName: "{{ git_auth_secret }}" diff --git a/.tekton/toolbox-image.yaml b/.tekton/toolbox-image.yaml index 93c85b0b..d31773ab 100644 --- a/.tekton/toolbox-image.yaml +++ b/.tekton/toolbox-image.yaml @@ -100,7 +100,7 @@ spec: resources: requests: storage: "100Mi" - storageClassName: rook-ceph-block + storageClassName: rook-ceph-block-ci - name: git_auth_secret secret: secretName: "{{ git_auth_secret }}" diff --git a/.tekton/udi-image.yaml b/.tekton/udi-image.yaml index 8e8a51f4..b759ea18 100644 --- a/.tekton/udi-image.yaml +++ b/.tekton/udi-image.yaml @@ -100,7 +100,7 @@ spec: resources: requests: storage: "100Mi" - storageClassName: rook-ceph-block + storageClassName: rook-ceph-block-ci - name: git_auth_secret secret: secretName: "{{ git_auth_secret }}" diff --git a/containers/apache-php/containerfile b/containers/apache-php/containerfile index 2816d11c..95a5e9d8 100644 --- a/containers/apache-php/containerfile +++ b/containers/apache-php/containerfile @@ -1,6 +1,6 @@ FROM debian:sid-20241202-slim@sha256:2eac978892d960f967fdad9a5387eb0bf5addfa3fab7f6fa09a00e0adff7975d -ENV KICK="1" +ENV KICK="0" LABEL quay.expires-after=${quay_expiration} RUN apt-get update && apt-get install php php-mysql apache2 -y diff --git a/containers/toolbox/containerfile b/containers/toolbox/containerfile index 7ce746a4..afacd3ea 100644 --- a/containers/toolbox/containerfile +++ b/containers/toolbox/containerfile 
@@ -18,7 +18,7 @@ ENV \ PRETTIER_CLI_VERSION=3.3.3 \ HOME=/tmp \ PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/local/go/bin \ - KICK="0" + KICK="1" RUN rpm -Uvh https://download.postgresql.org/pub/repos/yum/reporpms/EL-9-x86_64/pgdg-redhat-repo-latest.noarch.rpm && \ rpm -ivh https://github.com/opentofu/opentofu/releases/download/v${OPENTOFU_VERSION}/tofu_${OPENTOFU_VERSION}_amd64.rpm && \ diff --git a/kubernetes/ceph/base/file-ci/ceph-filesystem.yaml b/kubernetes/ceph/base/file-ci/ceph-filesystem.yaml new file mode 100644 index 00000000..d73208b5 --- /dev/null +++ b/kubernetes/ceph/base/file-ci/ceph-filesystem.yaml @@ -0,0 +1,50 @@ +apiVersion: ceph.rook.io/v1 +kind: CephFilesystem +metadata: + name: rook-ceph-fs-ci + namespace: rook-ceph + annotations: + argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true + argocd.argoproj.io/sync-wave: "2" +spec: + metadataPool: + replicated: + size: 2 + dataPools: + - name: replicated + replicated: + size: 2 + preserveFilesystemOnDelete: true + metadataServer: + activeCount: 1 + activeStandby: true + resources: + # limits: + # cpu: "3" + # memory: 8Gi + requests: + cpu: "10m" + memory: 128Mi + placement: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: node-role.kubernetes.io/infra + operator: Exists + tolerations: + - key: node-role.kubernetes.io/infra + operator: Exists + topologySpreadConstraints: + - maxSkew: 1 + topologyKey: topology.kubernetes.io/zone + whenUnsatisfiable: DoNotSchedule + labelSelector: + matchLabels: + app.kubernetes.io/name: ceph-mds + - maxSkew: 1 + topologyKey: kubernetes.io/hostname + whenUnsatisfiable: DoNotSchedule + labelSelector: + matchLabels: + app.kubernetes.io/name: ceph-mds diff --git a/kubernetes/ceph/base/file-ci/storage-class.yaml b/kubernetes/ceph/base/file-ci/storage-class.yaml new file mode 100644 index 00000000..3fe045e4 --- /dev/null 
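Review bot: `kubernetes/ceph/base/file-ci/ceph-filesystem.yaml` is added without a `---` document start while `file-ci/storage-class.yaml` in the same commit begins with one; add `---` as the first line so the two new manifests follow one convention. The commented `# limits:` block under `metadataServer.resources` is dead text that leaves the CI MDS pods with a `10m`/`128Mi` request and no ceiling; either set real limits or delete the comment so the omission reads as deliberate. Both pools use `replicated: size: 2`, which tolerates only a single OSD loss; that is a reasonable trade for a throwaway CI filesystem, but a one-line comment such as `# size 2: CI scratch data, durability traded for capacity` would stop someone later placing durable data on it.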
+++ b/kubernetes/ceph/base/file-ci/storage-class.yaml @@ -0,0 +1,29 @@ +--- +apiVersion: storage.k8s.io/v1 +kind: StorageClass +metadata: + name: rook-cephfs-ci +# Change "rook-ceph" provisioner prefix to match the operator namespace if needed +provisioner: rook-ceph.cephfs.csi.ceph.com +parameters: + # clusterID is the namespace where the rook cluster is running + # If you change this namespace, also change the namespace below where the secret namespaces are defined + clusterID: rook-ceph + + # CephFS filesystem name into which the volume shall be created + fsName: rook-ceph-fs-ci + + # Ceph pool into which the volume shall be created + # Required for provisionVolume: "true" + pool: rook-ceph-fs-ci-replicated + + # The secrets contain Ceph admin credentials. These are generated automatically by the operator + # in the same namespace as the cluster. + csi.storage.k8s.io/provisioner-secret-name: rook-csi-cephfs-provisioner + csi.storage.k8s.io/provisioner-secret-namespace: rook-ceph + csi.storage.k8s.io/controller-expand-secret-name: rook-csi-cephfs-provisioner + csi.storage.k8s.io/controller-expand-secret-namespace: rook-ceph + csi.storage.k8s.io/node-stage-secret-name: rook-csi-cephfs-node + csi.storage.k8s.io/node-stage-secret-namespace: rook-ceph +allowVolumeExpansion: true +reclaimPolicy: Delete diff --git a/kubernetes/ceph/base/kustomization.yaml b/kubernetes/ceph/base/kustomization.yaml index 53390cab..99906c2e 100644 --- a/kubernetes/ceph/base/kustomization.yaml +++ b/kubernetes/ceph/base/kustomization.yaml @@ -17,6 +17,8 @@ resources: - ./file/storage-class.yaml - ./file/ceph-filesystem.yaml - ./object/storage-class.yaml + - ./file-ci/storage-class.yaml + - ./file-ci/ceph-filesystem.yaml - ./object/ceph-object-store.yaml - ./selinux.yaml - ./rook-rules.yaml diff --git a/kubernetes/kubevirt/base/storage-profile.yaml b/kubernetes/kubevirt/base/storage-profile.yaml index 5b20c1bc..bcb2e28e 100644 --- a/kubernetes/kubevirt/base/storage-profile.yaml 
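Review bot: The comment `# Required for provisionVolume: "true"` above `pool:` refers to a parameter this StorageClass never sets, so it reads as stale upstream boilerplate rather than documentation of the value chosen. Replace it with a comment that explains where the name comes from, e.g. `# Data pool of the CephFilesystem above; Rook names it <fsName>-<dataPool.name>` (`rook-ceph-fs-ci-replicated` matches the `replicated` data pool of `rook-ceph-fs-ci`, presumably by that rule — confirm against the operator's pool naming). The CSI secret parameters point at the same `rook-csi-cephfs-provisioner`/`rook-csi-cephfs-node` secrets in `rook-ceph` as the existing `file/` class, which is expected since both filesystems live in one cluster; a short comment stating that the CI class deliberately shares those credentials would save the next reader the check.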
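Review bot: The two `./file-ci/…` entries are inserted between `./object/storage-class.yaml` and `./object/ceph-object-store.yaml`, splitting the object-store pair. Placing them directly after `./file/ceph-filesystem.yaml` keeps the resource list grouped by backend and makes the `file`/`file-ci` pairing obvious at a glance.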
+++ b/kubernetes/kubevirt/base/storage-profile.yaml @@ -66,3 +66,37 @@ spec: - ReadWriteMany volumeMode: Filesystem cloneStrategy: csi-clone +--- +apiVersion: cdi.kubevirt.io/v1beta1 +kind: StorageProfile +metadata: + annotations: + argocd.argoproj.io/sync-wave: "3" + argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true + name: rook-ceph-block-ci +spec: + claimPropertySets: + - accessModes: + - ReadWriteMany + volumeMode: Block + - accessModes: + - ReadWriteOnce + volumeMode: Block + - accessModes: + - ReadWriteOnce + volumeMode: Filesystem + cloneStrategy: csi-clone +--- +apiVersion: cdi.kubevirt.io/v1beta1 +kind: StorageProfile +metadata: + annotations: + argocd.argoproj.io/sync-wave: "3" + argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true + name: rook-cephfs-ci +spec: + claimPropertySets: + - accessModes: + - ReadWriteMany + volumeMode: Filesystem + cloneStrategy: csi-clone diff --git a/tekton/base/clair-action/clair-action-task.yaml b/tekton/base/clair-action/clair-action-task.yaml index d3c3a8e5..3cd6c89f 100644 --- a/tekton/base/clair-action/clair-action-task.yaml +++ b/tekton/base/clair-action/clair-action-task.yaml @@ -68,9 +68,9 @@ spec: mkdir -p /vuln-store/db/ mkdir -p "${WORKSPACE_DATA_PATH}/clair-scan-report" - echo "Extracting Image" - oc image extract "${DB_IMAGE}" \ - --path "/":"/vuln-store/db" + # echo "Extracting Image" + # oc image extract "${DB_IMAGE}" \ + # --path "/":"/vuln-store/db" echo "Running Clair Action" clair-action report --image-ref=${IMAGE} \ @@ -94,8 +94,10 @@ spec: emptyDir: sizeLimit: 100Mi - name: vuln-store - emptyDir: - sizeLimit: 15Gi + persistentVolumeClaim: + claimName: clair-action-vuln-store-cache + # emptyDir: + # sizeLimit: 15Gi # ephemeral: # volumeClaimTemplate: # metadata: diff --git a/tekton/base/clair-action/cronjob-cache.yaml b/tekton/base/clair-action/cronjob-cache.yaml new file mode 100644 index 00000000..363745f5 --- /dev/null +++ b/tekton/base/clair-action/cronjob-cache.yaml 
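Review bot: In the second `clair-action-task.yaml` hunk the `vuln-store` volume now mounts the shared `clair-action-vuln-store-cache` PVC read-write, although the task only consumes the database that the new `clair-action-cache-db` CronJob extracts into it; add `readOnly: true` under `persistentVolumeClaim:` so a compromised or misbehaving scan step cannot alter the vulnerability data every other pipeline trusts. Because the cache job overwrites the same path in place every two hours, a `clair-action report` that starts mid-extract can read a partially written DB; the writer should stage the extract and rename it into place, and the task could at least fail loudly when the DB file is absent (the `report` flags are outside this hunk, so I cannot tell whether it already does). Both hunks keep the replaced lines as `#` comments (`# oc image extract …`, `# emptyDir:`); delete them instead — git keeps the history, and together with the pre-existing `# ephemeral:` block they make the volume stanza hard to read.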
@@ -0,0 +1,70 @@ +apiVersion: batch/v1 +kind: CronJob +metadata: + name: clair-action-cache-db + namespace: homelab +spec: + schedule: "55 */2 * * *" + concurrencyPolicy: Replace + successfulJobsHistoryLimit: 1 + failedJobsHistoryLimit: 1 + suspend: false + startingDeadlineSeconds: 60 + jobTemplate: + spec: + template: + spec: + serviceAccountName: pipeline + automountServiceAccountToken: false + securityContext: + seccompProfile: + type: RuntimeDefault + runAsNonRoot: true + containers: + - name: clair-action-cache + image: registry.arthurvardevanyan.com/homelab/toolbox:not_latest + command: + - /bin/bash + - -c + - | + ############################# + ### Clair Action DB Cache ### + ############################# + export DB_IMAGE="registry.arthurvardevanyan.com/homelab/clair-action-db:latest" + mkdir -p /tmp/vuln-store/db + + echo "Extracting Image" + oc image extract "${DB_IMAGE}" \ + --path "/":"/tmp/vuln-store/db" + securityContext: + runAsNonRoot: true + privileged: false + readOnlyRootFilesystem: true + allowPrivilegeEscalation: false + seccompProfile: + type: RuntimeDefault + capabilities: + drop: + - ALL + resources: + requests: + memory: "128Mi" + cpu: "50m" + ephemeral-storage: 1Gi + limits: + memory: "256Mi" + cpu: "1000m" + ephemeral-storage: 1Gi + volumeMounts: + - name: tmp + mountPath: /tmp/ + - name: vuln-store + mountPath: /tmp/vuln-store + restartPolicy: Never + volumes: + - name: tmp + emptyDir: + sizeLimit: 1Gi + - name: vuln-store + persistentVolumeClaim: + claimName: clair-action-vuln-store-cache diff --git a/tekton/base/clair-action/cronjob-update.yaml b/tekton/base/clair-action/cronjob-update.yaml new file mode 100644 index 00000000..242dc2d0 --- /dev/null +++ b/tekton/base/clair-action/cronjob-update.yaml 
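Review bot: The script extracts `${DB_IMAGE}` straight into `/tmp/vuln-store/db`, the directory the clair-action Task reads from the same RWX PVC, so any scan running during the extract sees a half-written database; stage into a temporary directory on the same PVC and `mv` the file into place, which is atomic within one filesystem, and add `set -euo pipefail` so a failed `mkdir` or staging step cannot be skipped silently. The file name inside the DB image is not visible in this diff — the fence assumes the single `matcher.db` that `cronjob-update.yaml` produces; confirm against `quay.sh`. `clair-action-db:latest` is a moving tag by design, but the `toolbox:not_latest` runner image is mutable as well; pinning it by digest keeps the job reproducible and makes a registry-side swap detectable.

```yaml
          command:
            - /bin/bash
            - -c
            - |
              set -euo pipefail
              export DB_IMAGE="registry.arthurvardevanyan.com/homelab/clair-action-db:latest"
              mkdir -p /tmp/vuln-store/db
              # stage on the same PVC so the final mv is a rename, not a copy
              STAGE="$(mktemp -d /tmp/vuln-store/extract.XXXXXX)"

              echo "Extracting Image"
              oc image extract "${DB_IMAGE}" --path "/":"${STAGE}"

              # rename is atomic on one filesystem: readers see the old or the new DB, never a partial one
              # NOTE(review): assumes the image ships a single matcher.db — confirm against quay.sh
              mv -f "${STAGE}/matcher.db" /tmp/vuln-store/db/matcher.db
              rm -rf "${STAGE}"
          # … unchanged: securityContext, resources, volumeMounts, volumes …
```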
@@ -0,0 +1,95 @@ +apiVersion: batch/v1 +kind: CronJob +metadata: + name: clair-action-update-db + namespace: homelab +spec: + schedule: "0 */2 * * *" + concurrencyPolicy: Replace + successfulJobsHistoryLimit: 1 + failedJobsHistoryLimit: 1 + suspend: false + startingDeadlineSeconds: 60 + jobTemplate: + spec: + template: + spec: + serviceAccountName: pipeline + automountServiceAccountToken: false + securityContext: + seccompProfile: + type: RuntimeDefault + runAsNonRoot: true + containers: + - name: clair-action-update + image: registry.arthurvardevanyan.com/homelab/toolbox:not_latest + command: + - /bin/bash + - -c + - | + ############################## + ### Clair Action DB Update ### + ############################## + clair-action update --db-path=/tmp/vuln-store/matcher.db + + ################################### + ### Upload Database to Registry ### + ################################### + ./tmp/clair-action-quay-upload/quay.sh + securityContext: + runAsNonRoot: true + privileged: false + readOnlyRootFilesystem: true + allowPrivilegeEscalation: false + seccompProfile: + type: RuntimeDefault + capabilities: + drop: + - ALL + resources: + requests: + memory: "4Gi" + cpu: "50m" + ephemeral-storage: 3Gi + limits: + memory: "8Gi" + cpu: "1000m" + ephemeral-storage: 3Gi + volumeMounts: + - name: tmp + mountPath: /tmp/ + - name: vuln-store + mountPath: /tmp/vuln-store + - name: vuln-store-cache + mountPath: /tmp/vuln-store-cache + - name: docker-config + mountPath: /tmp/.docker + - name: clair-action-quay-upload + mountPath: /tmp/clair-action-quay-upload + restartPolicy: Never + volumes: + - name: tmp + emptyDir: + sizeLimit: 3Gi + - name: vuln-store + persistentVolumeClaim: + claimName: clair-action-vuln-store + - name: vuln-store-cache + emptyDir: + sizeLimit: 15Gi + # ephemeral: + # volumeClaimTemplate: + # metadata: + # spec: + # accessModes: ["ReadWriteOnce"] + # storageClassName: "rook-ceph-block-ci" + # resources: + # requests: + # storage: 15Gi + - name: 
docker-config + secret: + secretName: homelab-push-pull-secret + - name: clair-action-quay-upload + configMap: + name: clair-action-quay-upload + defaultMode: 0777 diff --git a/tekton/base/clair-action/kustomization.yaml b/tekton/base/clair-action/kustomization.yaml index e47d86b0..29efb3f9 100644 --- a/tekton/base/clair-action/kustomization.yaml +++ b/tekton/base/clair-action/kustomization.yaml @@ -3,6 +3,8 @@ kind: Kustomization namespace: homelab resources: - ./cronjob.yaml + - ./cronjob-update.yaml + - ./cronjob-cache.yaml - ./pvc.yaml - ./clair-action-task.yaml generatorOptions: diff --git a/tekton/base/clair-action/pvc.yaml b/tekton/base/clair-action/pvc.yaml index bec5e812..6d1a9284 100644 --- a/tekton/base/clair-action/pvc.yaml +++ b/tekton/base/clair-action/pvc.yaml @@ -9,5 +9,19 @@ spec: resources: requests: storage: 15Gi - storageClassName: rook-ceph-block + storageClassName: rook-ceph-block-ci + volumeMode: Filesystem +--- +kind: PersistentVolumeClaim +apiVersion: v1 +metadata: + name: clair-action-vuln-store-cache + namespace: homelab +spec: + accessModes: + - ReadWriteMany + resources: + requests: + storage: 15Gi + storageClassName: rook-cephfs-ci volumeMode: Filesystem diff --git a/tekton/base/pvc.yaml b/tekton/base/pvc.yaml index 00c5bedd..eb648365 100644 --- a/tekton/base/pvc.yaml +++ b/tekton/base/pvc.yaml @@ -11,5 +11,19 @@ spec: resources: requests: storage: 100Mi - storageClassName: rook-ceph-block + storageClassName: rook-ceph-block-ci + volumeMode: Filesystem +--- +kind: PersistentVolumeClaim +apiVersion: v1 +metadata: + name: cache + namespace: homelab +spec: + accessModes: + - ReadWriteMany + resources: + requests: + storage: 20Gi + storageClassName: rook-cephfs-ci volumeMode: Filesystem
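Review bot: The update script in `cronjob-update.yaml` runs `clair-action update` and then `./tmp/clair-action-quay-upload/quay.sh` with no `set -e`, so a failed or interrupted update still pushes whatever is in `/tmp/vuln-store/matcher.db` to the registry as `:latest`, and the cache job then fans that DB out to every pipeline; add `set -euo pipefail` as the first line of the script. The upload is also invoked by a relative path that only resolves if the container's working directory is `/` (not visible here); use the absolute `/tmp/clair-action-quay-upload/quay.sh`. `defaultMode: 0777` on the ConfigMap is wider than an executable script needs and is an unquoted leading-zero literal that a YAML 1.2 parser reads as decimal 777, outside the API's valid range; `defaultMode: 0555` (decimal 365) grants read and execute only. The commented `# ephemeral:` block under `vuln-store-cache` is dead text and should be removed rather than carried along.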